How we use your information

Your information, what you need to know

We are responsible for buying health services to serve you and others in East Surrey. This is known as commissioning. It includes services such as hospitals, community and mental health services as well as non-standard services such as those offered by charities.

All GP practices in East Surrey are members of our Clinical Commissioning Group (CCG). Our role is to make sure that appropriate care is in place for you and others, both today and in the coming years.

How we use personal information can also be found in our registration with the Information Commissioners Office under the reference number Z3622215.

For full details on how we process your information please refer to our Fair Processing Notice​.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.

The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.

We are also required to comply with other legislation relating to the use of personal information such as the Data Protection Act 1998.

We work closely with NHS South, Central and West Commissioning Support Unit to help ensure that your information is kept confidential and safe. You can read more about this in the following sections.

Decommissioning of services

Where we hold legal responsibility for information about you we will retain this responsibility until it is formally dissolved or the responsibility is appropriately transferred, even if we do not directly hold the information.

Please be aware that we are not responsible for hospital records or information held by your GP e.g. your GP record.

Employee information

We collect information about individuals who work for us for the following purposes:

  • the administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers
  • the recruitment and selection process
  • administration of non-CCG staff contracted to provide services on our behalf
  • planning and management of our workload or business activity
  • occupational health service
  • administration of agents or other intermediaries
  • pensions administration
  • payment administration
  • disciplinary matters, staff disputes, employment tribunals
  • staff training and development
  • ensuring staff are appropriately supported in their roles
  • vetting checks
  • assessing our performance against equality objectives as set out by the Equality Act 2010

Any patient or member of staff can apply for a copy of the records we hold about them by following the same process below.

CCG oversight

We have assigned a Caldicott Guardian and Senior Information Risk Owner who have oversight of the handling of information within our CCG as well as support organisations that we may buy services from. The Caldicott Guardian has the role of overseeing and making decisions on information sharing. The Senior Information Risk Owner is accountable for information risk. Both roles are supported by the Information Governance Steering Group (IGSG) which meets regularly to discuss issues related to information governance. The group is formed of senior representatives from each team within our CCG and is chaired by the Senior Information Risk Owner.

NHS South, Central and West Commissioning Support Unit provides administrative support for a number of CCG functions for several local CCGs. 

National initiatives

If you would like to find out about national initiatives that may affect you, please visit:

Accessing your information

Under the Data Protection Act 1998, you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request. Please be aware that we can only provide information held by us at the CCG and not information held by any other NHS organisation e.g. your GP.
We may charge a fee for the administration of the request, as prescribed within the Data Protection Act 1998 and in line with ICO guidelines:

  • If the information is only held electronically we may charge up to £10
  • If the information is only held wholly or partly in paper format we may charge up to £50

If you wish to make a Subject Access Request or have any other concerns or questions please contact the Information Governance Team at:

NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
RH8 0BT​
Tel 01883 772800
Email: scwcsu.igenquiries@nhs.net

Please note that in order to respond to a Subject Access Request we will need to share information about you with South East CSU.

If you are not happy with our response to your subject access request please refer to our complaints process. If you have exhausted this process, wish to take your complaint to an independent body, and your complaint relates to Subject Access Requests or the handling of your personal information, you can contact the Information Commissioner's Office in writing at the following address:

Wycliffe House 
Water Lane 

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

They are also contactable via email: casework@ico.org.uk 


If you have a comment, compliment or complaint about health services in East Surrey then please contact the complaints team.

If you would like this document in large print, on tape or in another language please contact us:

NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
RH8 0BT​
Tel 01883 772800​
Mobile 07827253111
E-mail: carol.rowley4@nhs.net